61a1422d91e70bce28ce695075bce73d75ecf574f494e7416f217d4e6238a305

Analysis

max time kernel
136s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-12-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MHDDoS-2.4.zip
Size

42KB
MD5

cdc757c00733c6d1b88f7d88f01af99e
SHA1

d73b6274a9f2e213f8e979073abca5c6383a83e3
SHA256

61a1422d91e70bce28ce695075bce73d75ecf574f494e7416f217d4e6238a305
SHA512

26f849233bc4c0d8fe5ba31519170eaf8eb3f6c7c7df533af9a20253e900971153d8317e4030938c4073899c15502af56b1733fc9ae118c8ebd5a5e85542e0ba
SSDEEP

768:SfOtMycGcvoKv2s/cKrhmnfHvOclr/b8gI/KKF6P1WLrTbvKAlW4GTI1qfqbdw7D:Smt5CZPt0DzogItLZKK/5wrxwo

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f74ec1dc-3dca-4ff5-9bca-791d9908393a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241222093215.pma	setup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133793334830809333"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 838397.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5440	chrome.exe
5440	chrome.exe
6680	msedge.exe
6680	msedge.exe
5948	msedge.exe
5948	msedge.exe
4744	identity_helper.exe
4744	identity_helper.exe
5624	msedge.exe
5624	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3156	7zFM.exe
2348	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeRestorePrivilege	3156	7zFM.exe
Token: 35	3156	7zFM.exe
Token: SeSecurityPrivilege	3156	7zFM.exe
Token: SeDebugPrivilege	1044	firefox.exe
Token: SeDebugPrivilege	1044	firefox.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3156	7zFM.exe
3156	7zFM.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
1044	firefox.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
2348	OpenWith.exe
1044	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 4716 wrote to memory of 1044	4716	firefox.exe	95
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4788	1044	firefox.exe	96
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97
PID 1044 wrote to memory of 4164	1044	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MHDDoS-2.4.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1872 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {889adbc5-13e1-405a-bad2-8ce2696aba42} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" gpu
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b8843f-d0f7-4d18-b4ca-f99708a1903e} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" socket
    3⤵
    - Checks processor information in registry
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 1588 -prefMapHandle 3024 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ac7f75f-0a17-4540-9473-947da6126840} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:3016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 2732 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43415fc-522c-4d8a-9431-9c4d6a7d3981} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4864 -prefMapHandle 4848 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5b20e4e-4a69-4c14-9590-88fc40dd4096} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" utility
    3⤵
    - Checks processor information in registry
    PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07417d64-7712-4455-b4c7-a8548b9e1e95} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:5956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbef040e-c1c8-4431-a073-81783f25bd94} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:6024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e1fc124-35cf-4df0-8067-6af827c67f49} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:6052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6236 -prefMapHandle 6232 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {402d13dd-fd7b-4f67-8a41-2ce2597103d1} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 7 -isForBrowser -prefsHandle 4364 -prefMapHandle 5544 -prefsLen 30533 -prefMapSize 244658 -jsInitHandle 980 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75d690cf-a9e7-4298-853a-92353b7f6370} 1044 "\\.\pipe\gecko-crash-server-pipe.1044" tab
    3⤵
    PID:5968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x1fc,0x228,0x22c,0x200,0x230,0x7ff844c6cc40,0x7ff844c6cc4c,0x7ff844c6cc58
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4648,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:3364
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff7cd484698,0x7ff7cd4846a4,0x7ff7cd4846b0
    3⤵
    - Drops file in Windows directory
    PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4416,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5276,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5356,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5324 /prefetch:2
  2⤵
  PID:5776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3896,i,9138102499250927340,3610825791486761918,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:6420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\CloseInitialize.htm
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x14c,0x150,0x154,0x11c,0x158,0x7ff857ff46f8,0x7ff857ff4708,0x7ff857ff4718
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:6692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:6876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:6924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:6148
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x7ff658ab5460,0x7ff658ab5470,0x7ff658ab5480
    3⤵
    PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:6968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:6948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:7036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:6328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6908 /prefetch:8
  2⤵
  PID:7040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,1922820722075039778,6682920946430624293,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5624
- C:\Users\Admin\Downloads\python-3.13.1-amd64.exe
  "C:\Users\Admin\Downloads\python-3.13.1-amd64.exe"
  2⤵
  PID:1948
- - C:\Windows\Temp\{2C2EF57E-8024-49F7-975B-59BA06BEF602}\.cr\python-3.13.1-amd64.exe
    "C:\Windows\Temp\{2C2EF57E-8024-49F7-975B-59BA06BEF602}\.cr\python-3.13.1-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.13.1-amd64.exe" -burn.filehandle.attached=728 -burn.filehandle.self=732
    3⤵
    PID:5184
- C:\Users\Admin\Downloads\python-3.13.1-amd64.exe
  "C:\Users\Admin\Downloads\python-3.13.1-amd64.exe"
  2⤵
  PID:5220
- - C:\Windows\Temp\{102F36F1-1059-4A8A-9E9F-47AF5BE47830}\.cr\python-3.13.1-amd64.exe
    "C:\Windows\Temp\{102F36F1-1059-4A8A-9E9F-47AF5BE47830}\.cr\python-3.13.1-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.13.1-amd64.exe" -burn.filehandle.attached=720 -burn.filehandle.self=728
    3⤵
    PID:912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5f4fba4e20344ecf736b67f70aa1b314

SHA1
0089b97a18ac4cb3f63121eea64b6d89fbd06265

SHA256
f60d9bddab2e4dfe2e2afbb5595e37765365ee00c0b85b6ce221b10f1a87b7bb

SHA512
ded995446d7fd38515ec21bdd8c4c40404db3519d25887b738b96dbc2ec55dce1e0010f250852db22d3bab459046ea71edefa966e5a76baca214a4dbd7bf0eb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4d1b07b4e09bd6e1755e562ac2c42c68

SHA1
bb68627890503050e5fa66f6b9fa25e38c1d8920

SHA256
a4216ea2161ac5dc634158c82a3a74444c693d7d852dd46855bc5f8a22864291

SHA512
98d69f7f5d1aa09d3165de4f7885930b98a00b4d90a980d0e67fa4180c70b687f125bd631b702ce5fb1e586e66594e857bb64b616b9b8601fff3941c07d5b3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
561d084dd93bfc87ddd469f85b50a853

SHA1
5ad5d77861ec7872bb7444875a71e039ad0a9279

SHA256
a8cb3ddfce2fa03b21402abd2d1986fd569558ed1c4dc381e4fbdb6508656722

SHA512
50c5f7ae3638aeb5f3f59f47845fed2a6bcf04cbacbd9966673e771a6bc2c82d17ff459dd77444c7341e804cafcc5819c47a0c92703e57cc8b6ad6361cf6e29d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e5feb5277322f4fde2afe16c5168040

SHA1
354fe2a19d4f5de14bb55ddcc008f0131ac8c87c

SHA256
a6fd0cd7c5957a2db602a5ede1b4e68ba355785487e6062c43af522c3a95ada7

SHA512
c7ffee7a670cb936a41e132701093109a3db5c7409fc81a9f74136702144710ba1b33604f2bda304e370ddda5eeb060583502a5e8d27bca5c52477cf6f5749fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7509582bde46a425fca24b7ec9f1b49d

SHA1
1f6586aff63afd3589ca76888ae1736434561368

SHA256
0bebc51f169eb63caf7a851b192c208826a9f4b7d09816bf54165173c9324d43

SHA512
bddc71880302c0af51397aa98fed1d9625112f7c56f07aa770430cf7809ebbef0125f94018c6bea30e2c3da814c82e5312f3a1e8ad25858e4597789a28cb1795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ce154957e07a53b8501d6e9648ed553d

SHA1
a245d217a872068145af975526e817ef97ee8a9a

SHA256
43471f789cd0abd8fe94acfa92a996c5a6b702b878880aaddbe4d7364f1e8d4a

SHA512
0bee7cc40ef1567aad3887d52bf76a12a0d0dc83b825c80209b7d6a098c876adf9ae4268a0507cb8f17d5879f7c6f21719b628d0d6a74192c01c6498d97ac7ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6373f64b7f61e7c2d68a69bb40a27c79

SHA1
33e1e1c275164c361053a0764a7acdc703377312

SHA256
7b6d2627dd1806c95969451166ee38082ecec8420bc453cce4cb89cbe4bc9ba2

SHA512
3fbd28a6187d8344eb368b68330d54dc34ac5df6fae6f8636f2fcbda10b2e9914e1c7a9aa64c45013970eb256dbc04f725e8de0748da3a6ceca4aa667b5018a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f7be3d1c-5f32-4a63-b320-a607cb769439.tmp

Filesize
649B

MD5
054c97cbfa723e953c1e2807b21644ad

SHA1
f9ceb3125939c81853cb403aefe680020806f5e1

SHA256
934107f2405cf231d40aee56c6b68789eb3230ef92d4d22b90099775edc0e4d6

SHA512
94460b6ad4391039b1f0c66f27fb32b8a5b49cb1bb05955c037a821659edf666517b54453735744bc6d7168522850f076eaf01d62664669bfe692d3aabcc5a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
917e40f7ba13b954742c7b961e75a5b1

SHA1
5b7c15c2522a0ed338ee6e74c7e09febc4adf7bb

SHA256
0e0ab2ba4f226a07ad10e65c08289a6a8c4a2390364c07650f57c918a233560c

SHA512
63311b52122aca35c144d23120dcd1b089ed48a8ef55c7fbc157b87ab73390b0876b27d3f73fedaae601a55102c264470368033cf19e18f5bf2bd610dc053fac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
e8301203b17128face256268f7770e45

SHA1
9ccf96e404696f462ae21fbc7d58153b999e5e24

SHA256
670394ba22208fb3a996e28cdb5ff6892ddce8fe8967820943ad0d9ce1625fbc

SHA512
3fc8a5da7583f4da3aa7c9b6244c49ce1871f7d1b89191ffe154b1b03bcca0ac23981689cf8423af33e8c6b35414219f80cdbc337776bd3cb918e088dd2ecd44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0889e005-302a-44cb-9a14-319ed4a1b83f.tmp

Filesize
8KB

MD5
dfe3cb1752fa2254cd5f99995eaaa4f9

SHA1
4fcfb005e51d4a77bd29c6cb5d3179779bc54ac7

SHA256
34ef12a73ca669f30525219de91d3e544f45fa54f14865a2401549ec96052e3e

SHA512
7c3bf252f936a07121c902f27f5f11003b5b2aa3469a2720ba614317e281af3c0420239a05aa32ca598978727b4417ea54da8022f44938d03b1eaa2705479c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c8c74ab5c035388c9f8ca42d04225ed8

SHA1
1bb47394d88b472e3f163c39261a20b7a4aa3dc0

SHA256
ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9

SHA512
88922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8978379b8b4dac705f196c82cddb401

SHA1
873169c69e4aaa8c3e1da1c95f3fc6b005f63112

SHA256
83528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa

SHA512
2d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0ac82493-d6ff-4d64-801b-f1478709ceca.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
72b11f609d1bb5d05d37a4b0fb651131

SHA1
9ba6a0ace6f4c7c6ac8fd4522bb841a41cfcb474

SHA256
6aeda9d3393226a98dcbab32ddd2d6a5763ecef1a647d20b92778a76085a4d27

SHA512
7a55f7066fd485edcb9aaa0a236663d0849b2ac3ff243f10c5c58a6f2751ba01132845fafc567dcbd52623f2252b58609274c46576b8ca30ccb5034c6727f0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
64522f9c438139ab2be9c5a527c9474f

SHA1
037b27e752a1ec95a7a513b32c926f4cebdb6807

SHA256
b18ce1704cd0e19f51a8c016489248907b55748452edd190213fa58d4418e687

SHA512
f9eba3c4af6b95ef6a082dbbeddcb881096057189a5469ce41f5758a716f9d9df5e2c3239db721f280ce932ad89dd0654c484b01b71bbedc3c67d7b3ec42ed23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
7f6cdb304e58d387d620b611d873f2c0

SHA1
61cc7e3232b9ecab261ebe67e30f1c2dfdb7a11c

SHA256
2afdbde29810959499254b667e98edfbbc6acf9fcaea4abc0db2efec6a40b314

SHA512
d5ff1302e9b97add7e9b6540a012907b81dbc804e651e1185f7078ba4450e462ff1c4abe8fc8e17df81a4579189ef8526ed972fd66b9dffbf01fe5f33d15c0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad875b057f845bf5fc593eeeaf4f8620

SHA1
824a70163525395aac458da50b39033f9725399a

SHA256
f07f93d62b4ed3cc56ab2da83111adfa6b9bbd3fae9538fdd113b9900f1afe5b

SHA512
9be1973e5da2c8879e3a163bc2aeb107bfd327d9f43ea462c62e924555d74aa7294baffff5f4b031ee55474ca4400e322a054fb41faee5e8803d7bcaecbdedca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d92b78440c14f2dbf054e1bbfdd380b6

SHA1
2c2bcacb7139e04e0bfe43307341a08b41ea7c13

SHA256
70e5c6a68dae1157e9beffcc4adfa5f65581385c29b92674472f3cd31ee476d3

SHA512
addb26778da615de02d269af06c0a029bdde34c1222882be8d4280d624a8fee23e2314bd9aeb8f02afbab96fefa5a56a451a876a23171dd347a9693ea121fff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2eb8ec441098de674c2155356da1ff1

SHA1
61cb8f648d33d669f98251602f8e27edbe971250

SHA256
52b04d611ab4c4e1cf13d41c7562d0410faafdfc853d9c581c7eace8e798f5ad

SHA512
b5f20d968fc80b20cac35f572475b30f077a148108374723d8f15accc0cbd538c3c92bd7ab7751c935ac2e09e5c417793e6c6e70bf18d82d62ba40fdb9edf038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
671cfbd0275770e681ef4ede37140969

SHA1
ac145dd046e86ab6aff6340664c509c4fd5f1746

SHA256
dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823

SHA512
d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
55182d891d98ec9d988cec04bac8752d

SHA1
e18a06e1498ff69c1c2697df7e195cf922a92e01

SHA256
08dc082566b36f693f93e341a5eb4e93a95d5bfed35b952f5ddcf4a5d51e963d

SHA512
35b9bf0c05da26bcebb4e259deca27c84e28521aff5a27af8205624581d1b0a7da6350ee7de0a2329c9cbc1d8cf205c1487638196232cbe794aaa91b0d86d0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
5c7a84682f188ceac2d40b9b5b990a50

SHA1
fd0610fb10a9a8e00140ece153363bc895195f43

SHA256
caddba745e31893f10a01c42d3f3579b282059ad1914830caee0aa0181810369

SHA512
897d78b2296f963db5846549e6642fb999ad47cb128f0d339a557e71171265d806a2e4a402fe10e9ddf4c25601849372a5f77d94e15ba04f2ee5dc9680821d76

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\B12380E59E366D551CA91542483B50A71D3DB16C

Filesize
224KB

MD5
76081f68316e63106e84679224c24f68

SHA1
d061f32c70e9d06153af4ff55bdb4ee49d5ad951

SHA256
eb11e7a413d288439df013cee1e31887d66334ba3618191fcf8f7f1698bc7990

SHA512
68cfd194f50069899956358499d8c670f8fd5ac23064e06abb6af022fa2931bb32602a81dd0cea92039b08d5b3a91b592d939197a808efe6cc6a1144a4981ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO45CE9447\start.py

Filesize
59KB

MD5
fb0a5754c1eaf460d1df829b9ea054a6

SHA1
d3e53a2648c408324832ada82e2798424fab180d

SHA256
4a9338960064e349281cad644d3f384c30035989fd4e15c12475601f6b05dd0f

SHA512
12b041f21a13691ed70850c25c1bdc5ccc2e5eda23ee1a62cce8b04934fb21e96528380c1348e383c4f7ee65388bff7bb2495e60d162134c99ce449a38adb50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5440_927859963\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7f826468737cf4370d21a6ced8da7d99

SHA1
f1ebabcdbb191ca6176f9f58787ce6bb33b192f6

SHA256
6ede0d9c4382d226c6919b5ab183c7c757142ef691f3f5f31042e9c6a6d818c9

SHA512
d0a6f3f6e059d01537f8d1656d8f3c225247cb501918f76984c6cc1adf4f74ba26f17920dc443c430e96f95b7e3ebc00f721ced746f42a7431e23f6ba0450f63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5f51e94548aa4be150837605ed8c34bd

SHA1
6e65ebc4e1b51fe1400366b2347ef83136036fd1

SHA256
28f43ff48c73bd6fd025bb4701b9c7fe13e54a607686637a45f853dd46053dab

SHA512
7194220868ace55f4f77cce4647f593f6ed477a713ac2b7e23e8a30b401ba4ea8138b92df4db78c56f7a66499e228138380f0378be82c89b51940d09496315b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\AlternateServices.bin

Filesize
7KB

MD5
5a4bfa05adeee3b8742b5256c46d1792

SHA1
406a2d3cb5ce38bac7ec50e0ad4c28d2f12b8a7e

SHA256
bd4f2851ab237c8c32d9eecaea159d116a2c060e588ff659c97d013edbb7bd26

SHA512
bf093d843449b9661377a450ca398cc069507d789cfc9bdf63413d3f12fb9d148bce1119ca8609fc148f33b9763d06e5b893cf122beecee3691d14aa6c105f67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\AlternateServices.bin

Filesize
12KB

MD5
4324a7c238ad6a4b5e6ec94bf38608ef

SHA1
62f93902bde775c9a35c93ecbceca9f7350cf241

SHA256
775900c7901eed918ac636c185a4f0a8b88dd2b344f0947cbbdf749dffd3e087

SHA512
c28e8b0065d59356d79f3fd3e5f4efbf116d8165e5eba40eb5a11560348632f84a0c287f79e3ece6358e9378a02f23e3542507c3bf0f66ac37594556f404148e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3a64b26ced6e03c3c3891d541721ce15

SHA1
55479c103c0b10983a6f1cd75f3fcd8223ae9a1f

SHA256
3c6b26233551997e461ea4be59de2b54182ae920663e10a3df72664d6e7b1d3e

SHA512
db6df4977d379195ef54703986488207e9466841e4fe931aa3f4efe45e50a29b1245c98923437ece622209c4823652eb0117ea0ccd21c87b6047c3fbab7100e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
597aae307ce63b6805f97ab367133a7c

SHA1
7a798965d0aa964da1c6023e26e459edb75d9cb1

SHA256
459f550b60e65301e882d761cc4e8f492af937521df84100de23eb469a6110b5

SHA512
c48634bb67f01fee8f65bd7cc3fe1018b40776adc998323515defd48386acdc8a97097cd7e6d8ef2ca8de8555b772d450b5b71f061190fafe70c3c9f275fbe62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b1ba63123f3b4b13410676df5e3972e5

SHA1
fae314b2cdc308c244603b8f4005baf5a6a66772

SHA256
ff8c40cf3d11f3b765cbeb6c8a299c7149979dbb04f2d4f8a1d049a283e7c907

SHA512
8879ad7fabde2ce9058ee9dbae5099a52ff3cf3efbaa4ae13e13f1d89d2b54ffe66240ae5f2fff0a510be92043d74e31a1095746fa3ccbe2afa1e6aa4819e9e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ce1811fde45c94a18263d945f5d83df2

SHA1
dd0e0977faeef570ccfdc3c72ee9a162738433ff

SHA256
b7543df8e4fdc3692e4be86640c40de753e2802cb41dee371272e096c58725ad

SHA512
0878e27265d2ac0ddc8ca6f0370edc9f29482fc18dc47bb281dedc1285919d0dd8ceb86f6e441309809af0fba8db71e96d7f41b9a508981c18af1db407a78463

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\035f0d9b-aa2b-41df-8a78-e91fa7fe0944

Filesize
671B

MD5
dda4b6614cc2b47b62801bf4fe1e7fc5

SHA1
98fe842a89952bbc6baaa49d66934b4a8543a480

SHA256
4aa3a7093727a0afd2fd296a4e7e064fa62c2d80eed18d0a72f64cde6fb44486

SHA512
05ae142177f74faa3e753e55702ee31c911c4c3bd9628b8b14a8d8ee207f52ce532ee215e5710ff4f7bb9cbf55d5ed7f7c54b59ec18adb8d5120c3d36acec22c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\20a6273e-a418-47fc-a116-46542682b416

Filesize
25KB

MD5
8a0ac3b12dfd5b1d4b15e48b2716f36e

SHA1
23209825b4afaeb883c2c34b5516d7b505f3462d

SHA256
f8a149af8e0f7586c5a487bdef0af6bc52d97a37d368c7fc4939612e44521755

SHA512
188dc0637f225c4185202582a0931f94fe3fcf9731a5ab8bdee252a62cf96d29045b7a495ba5d1213c4b21d4ded1c5838c0df00bd0ff4509ede7576fdaa3bf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\383441a5-9c53-4760-8bf9-1b64cda93cc0

Filesize
982B

MD5
71ae15569d4cc49ca31ff98337932c02

SHA1
05948978649c7f02a197531f8e4d6b0921ef8882

SHA256
51e5b7a4e97c40ed67ce6376e49c026acbbce7857f729382c18e2dc63e9c8622

SHA512
7852fb8ba49bda95f511dcc9d2f202d66b3f7bf95926b2093f1af05bf792abcdb4618b21a02d2178d0957a31833304c4b1815b820e6a06fe65481346989cd942

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs-1.js

Filesize
10KB

MD5
4b1479547c0ecabccc91d73978ce5c53

SHA1
3ce4f9c24500f17181b78af8febe44cf42612ea3

SHA256
ca9685a3ba264ab168a4db08a9a05686f8f8d875ddd73cc831a1a43e74fa694b

SHA512
7a125f8ea49fe2d2df0022d028a339dc6a52f3d343357a00ece3d662455d4a7bae1f72155f4614403ac991974dbbc5a8c40d8f2ff697bdb4fcd439f4e9583e0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs.js

Filesize
10KB

MD5
e47e1d5f12addf188dbbe8b44999f973

SHA1
01e69706536d9f96e45d6947c1e2c7a216362a38

SHA256
2db90a6d8dbb2caa232a3b386fb1f10500dcb81f9b04cb250e7f49cecf16fb4c

SHA512
adfd854876f82b87bad61c82eb61599e0bc84d763fd790a654471e153d16f14e220833004d40d88c1869e026bad99ebbcfe55b1aeabc14eae4d1791bb355415e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs.js

Filesize
11KB

MD5
2bb44bb2c5e1569197526c8ade32f143

SHA1
5659fdd91148627cb3eebde63efc4c6f9d5a811b

SHA256
e4fb584b27590c28a72b3bd814a286d8998d1d878fbe4374152724aca941f190

SHA512
25adcdb4a69925d964f3b14182a2dfa5cba09c49d06a6b7151653d302b88a405a3c8223a145d62607c3b352788c114698040f8d1c84729d7e18af5c2f7131766

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionCheckpoints.json

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
c6a7e984246af3111c778cb2a579bf88

SHA1
bb4a6c9f80b8da1117438e88934dfd1b934f5ddc

SHA256
a202f0c162e95a0ad73cb708a359716495d28449c152b8601b6446cb4cd74e55

SHA512
3580e126ee4b8dff8f27bc0b8838464e348719cf05a4f1092aa7e6cd321d97296ca5316a1bc390bc9d8f0861ed65d63c18bd3027c3b6e05f287dd584ccf4a1b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ccaa6f683c55540b726f65c51ee9bc75

SHA1
c65534d6ca6b76f90d51b1c5773e80448922f429

SHA256
22f3bf11f4708526980d4e4364ce5dcd7c13b83ffd4cf33ca5ebcb814bed05db

SHA512
80146cb5c3672e07b2ed7950a3e3095407e601a3158f84795b329953b21af77a89bcd7e55317b0c754d1450648d729f313e43a8d9edb420d1ede7fab125fa11d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
12eada0bd19084ec2c975d2902e9d9a7

SHA1
19716a3075ea6ae8c2cf43867e08553c765a7d6f

SHA256
685f46b8dd1e164078e8ff004ae02dba2c2ccaaa9fd01666964cb0e94913eb1c

SHA512
7a3bd5da7f0ef3a4d26c483c5995a64732713fb524522bfca6b4017b68e21958d8c32b06819e5a8613e60011e8a0b4d4bd03d4726270a07a52065424a6047d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
2d884f954b0fdf654f988a1e691b6dc3

SHA1
65745e9b0d7c93b9f8b128fab09d34f46e851370

SHA256
14ad1704f9f1fdd6df298daab3e2735b8926d4fa6768ed311c2ff4e9dd0b4e07

SHA512
8820507ec489fe488d8c2bbb323dd2c68c188ffe36f9699b585626a55b313a8bad6ddddd225a036a852d6fad9c14a7c8c3a70f6f6b2711066f7c9e0536dbd6a5

Download Submit
C:\Users\Admin\Downloads\python-3.13.1-amd64.exe

Filesize
27.4MB

MD5
90176c0cfa29327ab08c6083dcdcc210

SHA1
cc0bcf37414be313526d63ef708fc85da3b693b1

SHA256
6b33fa9a439a86f553f9f60e538ccabc857d2f308bc77c477c04a46552ade81f

SHA512
5940aae44386f3622dee3f32e6a98073851a9f646da6bf3e04f050b9a9239e0ddf50b26e5e125154edc5bbebce7353d273950f1111e4ca5f2b4e2e4a7ac7cf92

Download Submit
C:\Windows\Temp\{29DA6D94-9E78-43FC-831D-A5D2982D0DA3}\.ba\PythonBA.dll

Filesize
692KB

MD5
e8cd5641cae8ae7e9f98b8a3b7096808

SHA1
dd587894cad3122c1719def17f8377bb2bbbc05e

SHA256
898474ad4074571813416e58667a3b8a233e12e656579726c178ec71f794b268

SHA512
53034732df45527389362c2cc53d3ba0390bc4c1a7700b7d61d774d1eecdfed43381311c63b38861215813a674eb3fe865821cb352606522987fb2cfed2856e1

Download Submit
C:\Windows\Temp\{29DA6D94-9E78-43FC-831D-A5D2982D0DA3}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{2C2EF57E-8024-49F7-975B-59BA06BEF602}\.cr\python-3.13.1-amd64.exe

Filesize
878KB

MD5
9bc2cfce73fe043e69c909fb1546dbbf

SHA1
8ee81917775b4bd60ea0592b2203d2219dc98cfa

SHA256
ba89d23a7c937c05feba316a927773faaf7becfb2279d9edac6cc11e31205e29

SHA512
4243b3923b998b21ed386750b179bf29bda164d6154e2f5cd744b361963c4e1025ed3d6d557f1cad672818a909cc8a5036cf14ccf4f5bdd1284db24156ad58e7

Download Submit